
General Data Protection Regulation (GDPR)

Summary

As part of the National Democratic Institute (NDI) ongoing mission to work for democracy and make democracy work around the world, we are updating some of our policies to ensure the privacy of those who interact with the Institute.

Please feel free to review NDI's updated privacy policy, data retention policy, and terms and conditions. These changes, as well as changes to our online platforms, are intended to bring them into alignment with General Data Protection Regulation (GDPR). A phased approach to compliance is described below.

What Is GDPR?

GDPR, also known as EU Regulation 2016/679, is designed to strengthen and unify data protection for the personal information of all individuals (“data subjects”) affected by the regulation. GDPR provides the context, guiding principles, and governance framework for collecting and processing personal data. Organizations with more than 250 employees (or all organizations wherein processing of personal data is not occasional or includes particular types of sensitive personal data) and that store personal data of those individuals within EU states, must comply with the GDPR, even if the organization is located or operates outside the EU. On May 25, 2018, it went into enforcement, replacing the Data Protection Directive (Directive 95/46/EC) of 1995.

A key focus of the regulation is on the data controllers and processors that manage personal data. The GDPR highlights expectations of the data controllers and processors to implement appropriate technical and organizational measures to maintain the confidentiality, integrity, and availability of personal data.

Our Roadmap to Compliance

What We’re Doing and When

Below, find a detailed list of outcomes NDI is working toward to ensure our compliance and to assist with the compliance of our partner organizations. A quick note on timelines: we’ve already started on many of these new initiatives and will continue to update this page as they’re implemented over the coming months.

But first, a quick primer on the legalese associated with the GDPR.

GDPR Primer

Let’s say that Jane Doe is a contact in one of our Google Forms (e.g. an event registration form) and an EU resident. According to the GDPR, she's called the "data subject." In this example, that means NDI is the "controller" of that data and Google acts as the "processor" of Jane’s data on behalf of NDI. With the introduction of the GDPR, data subjects like Jane are given an enhanced set of rights, and controllers and processors like NDI and Google, respectively, an enhanced set of regulations.

Key Requirements

The actions for the defined key requirements are applicable to all EU residents that consent to providing their data to the National Democratic Institute.

Lawful basis of processing

What it means

You need to have a legal reason to use Jane’s data. That reason could be consent (she opted in) with notice (you told her what she was opting into), performance of a contract (e.g. she’s a constituent and we want to send her a receipt after her donation), or what the GDPR calls “legitimate interest” (e.g. she’s a constituent and we want to send her information on where to vote).

You need the ability to track that reason (also known as “lawful basis”) for a given contact.

Actions

Many NDI partners leverage our CiviCRM DemTool. Civi is a contact management system for constituent engagement. We will be adding brand new rules and features to our contact management system (CiviCRM) to track lawful basis by installing a GDPR extension. This will enable the Institute to, for example, record that Jane granted lawful basis when Jane signed up for a newsletter.

In addition, we will be able to track and audit lawful basis with Jane’s “user history.”

Consent

What it means

One type of lawful basis of processing is consent with proper notice.

In order for Jane to grant consent under the GDPR, a few things need to happen:

She needs to be told what she’s opting into. That’s called “notice.”

She needs to affirmatively opt-in (pre-checked checkboxes aren’t valid). Her filling out a form alone cannot implicitly opt her into everything your company sends.

The consent needs to be granular, meaning it needs to cover the various ways we process and use Jane’s personal data (e.g. marketing email or polling station location SMS). You must log auditable evidence of what Jane consented to, what she was told (notice), and when she consented.

Actions

We will be auditing all the ways NDI collects personal data to ensure that they include an affirmative opt-in mechanism and provide Jane a clear understanding of what she is opting into.

For example, when Jane sends a message to NDI staff via the contact form on our website, she has to click a box confirming that she understands that she is agreeing to receive messages from NDI and to be subscribed to NDI’s newsletter.

Withdrawal of consent (or opt out)

What it means

Jane needs the ability (as data subject) to see what she’s signed up for, and withdraw her consent (or object to how you’re processing her data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.

Actions

For CiviCRM instances like contribute.ndi.org, Jane can withdraw her consent from the instance's subscription preferences page. Once the above changes on consent are made, that page will reflect her affirmative opt-in for each type of communication, and she can easily withdraw that consent for each one there. Alternatively, if we receive a withdrawal of consent directly from Jane, we will be able to modify the lawful basis contact property we mentioned above.

In addition, all 1:1 email sent via 3rd party tools as identified in the Data Inventory will be updated to allow the inclusion of unsubscribe links.
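The consent and withdrawal requirements above (affirmative opt-in with no pre-checked boxes, per-purpose granularity, an auditable record of what Jane consented to, what notice she saw and when, and withdrawal that is as easy as granting) can be captured in a small consent ledger. The following is an added example written for this page; it is not CiviCRM, its GDPR extension, or any NDI code, and the subject id, purposes and notice texts are constructed sample data:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical consent ledger (constructed for this example; not CiviCRM or its
# GDPR extension). Each record holds the evidence the page says must be auditable:
# the purpose, the exact notice text shown, when consent was given, and when (if
# ever) it was withdrawn.


@dataclass
class ConsentRecord:
    purpose: str            # e.g. "newsletter_email", "polling_station_sms"
    notice: str             # the exact notice text the subject saw at opt-in
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Per-subject, per-purpose consent with an append-only history."""

    def __init__(self) -> None:
        self._records: dict[str, list[ConsentRecord]] = {}

    def grant(self, subject_id: str, purpose: str, notice: str,
              checkbox_ticked: bool, checkbox_prechecked: bool,
              when: Optional[datetime] = None) -> ConsentRecord:
        # Affirmative opt-in only: a pre-checked box, or a box left unticked,
        # is not valid consent under the rules described on the page.
        if checkbox_prechecked or not checkbox_ticked:
            raise ValueError(f"no valid affirmative opt-in for purpose {purpose!r}")
        if not notice.strip():
            raise ValueError("consent given without notice is not valid")
        rec = ConsentRecord(purpose, notice, when or datetime.now(timezone.utc))
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str,
                 when: Optional[datetime] = None) -> bool:
        # Withdrawal is a single call, as easy as granting. Records are never
        # deleted; the withdrawal timestamp is added so the history stays auditable.
        changed = False
        for rec in self._records.get(subject_id, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = when or datetime.now(timezone.utc)
                changed = True
        return changed

    def may_process(self, subject_id: str, purpose: str) -> bool:
        # Granular: consent for one purpose never implies consent for another.
        return any(r.purpose == purpose and r.active
                   for r in self._records.get(subject_id, []))

    def history(self, subject_id: str) -> list[dict]:
        # The auditable "user history": what was consented to, what notice, and when.
        return [
            {"purpose": r.purpose, "notice": r.notice,
             "granted_at": r.granted_at.isoformat(),
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self._records.get(subject_id, [])
        ]


def demo() -> dict:
    """Walk a constructed data subject ("jane-doe") through opt-in and withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.grant("jane-doe", "newsletter_email",
                 "We will email you NDI's newsletter. You can unsubscribe at any time.",
                 checkbox_ticked=True, checkbox_prechecked=False, when=t0)
    newsletter_ok_before = ledger.may_process("jane-doe", "newsletter_email")
    sms_ok = ledger.may_process("jane-doe", "polling_station_sms")  # never consented
    try:
        # A pre-checked box is rejected and leaves no record behind.
        ledger.grant("jane-doe", "polling_station_sms",
                     "We will text you your polling station location.",
                     checkbox_ticked=True, checkbox_prechecked=True, when=t0)
        prechecked_rejected = False
    except ValueError:
        prechecked_rejected = True
    withdrew = ledger.withdraw("jane-doe", "newsletter_email",
                               when=datetime(2018, 6, 1, tzinfo=timezone.utc))
    return {
        "newsletter_ok_before": newsletter_ok_before,
        "sms_ok": sms_ok,
        "prechecked_rejected": prechecked_rejected,
        "withdrew": withdrew,
        "newsletter_ok_after": ledger.may_process("jane-doe", "newsletter_email"),
        "history_len": len(ledger.history("jane-doe")),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that withdrawal marks a record rather than deleting it: the ledger keeps the evidence that consent was once given and when it ended, which is what an auditor asks for, while `may_process` answers the only question the sending system needs.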

Cookies

What it means

Jane needs to be given notice that you're using cookies to track her (in language she can understand) and needs to consent to being tracked by cookies.

*** We know the ePrivacy Regulation is coming, and that it may have an impact on how cookies are regulated. We’ll adjust our product accordingly.

Actions

NDI will update the default language for enabling cookies on NDI-hosted websites to reflect affirmative opt-ins, and make it possible to show the cookie-consent message in the right language, based on Jane's location.

Deletion

What it means

Jane has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of Jane’s contact from your database, including email tracking history, call records, form submissions and more.

In many cases, we’ll need to respond to her request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.

Actions

Jane will be able to perform a GDPR-compliant permanent delete by contacting NDI through its website.

Access / Portability

What it means

Just as she can request that you delete her data, Jane can request access to the personal data you have about her. Personal data is anything identifiable, like her name and email address. If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

Actions

Jane is able to request access to her personal data by contacting NDI through its website.

Modification

What it means

Just as she can request to delete or access her data, Jane can ask NDI or a partner organization to modify her personal data if it’s inaccurate or incomplete. If and when she does, you need to be able to accommodate that modification request.

Actions

Jane is able to request modifications to her personal data by contacting NDI through its website.

Security Measures

What it means

The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization.

Actions

As part of NDI's approach to the GDPR, we are strengthening our security controls across the board.

In addition to industry standard practices around encryption, NDI is also improving our systems for authentication, authorization, and auditing at a massive scale to better protect user data.

Frequently Asked Questions

When will NDI be updating its legal docs?

What else is NDI doing to protect your data under the GDPR?

NDI is working toward implementing “security by design” and “privacy by design” standards to continuously monitor and protect your private information. This means NDI commits to promote privacy and data protection compliance from the start of every project and by default.

Does the GDPR require personal data to be stored in the EU? What does NDI do to ensure lawful data transfers from the EU?

No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU remain largely unchanged. The GDPR permits transfers of personal data outside of the EU subject to certain conditions.

I receive newsletters from NDI for which I did not give opt-in records. How do I request access to my records or request the deletion of my records?

Will NDI be able to comply with the right to erasure (also known as the “right to be forgotten”)?

Yes.

How will my personal information be used if I am participating in an NDI event?

NDI will collect personal information to arrange travel and to comply with audit and accounting processes. NDI may also use the personal information of program participants to report on activities to its donors.

How will my personal information be used if I am hired as a consultant with NDI?

NDI will collect personal information to arrange travel, to process consultant contracts, to issue payments, and to comply with audit and accounting processes. NDI may also use the personal information of consultants to report on activities to its donors.

Can I enter into a Data Processing Addendum (DPA) with NDI DemTools?

NDI makes available a Data Processing Addendum (DPA) for GDPR. The GDPR DPA is available to all of our programs and partner organizations. If you would like to incorporate the GDPR DPA into your existing agreement with NDI, please email us and we will promptly send you NDI's Data Processing Addendum for you to complete, sign and return to us.